This document describes changes made to the SDS 930 used in the Berkeley
Time-Sharing System.

1.0 GENERAL

Every multi-programming computer system must be able to provide isolation
between the independent concurrent operating programs. Otherwise, such programs 
may interfere by overwriting each other with data, by transferring control to 
each other, by attempting to use the same input/output devices, or by halting
or otherwise hanging up the computer. Memory protection, the trapping of I/O
and illegal instructions, and centralized, system-controlled I/O will usually 
solve isolation problems. The problems of relocation of program areas and 
allocation of storage among the concurrent programs arise when main memory 
cannot contain all of the concurrent programs and it is necessary to move them 
to and from secondary storage. A mechanism which provides a solution to the
relocation and allocation problems and also provides memory protection is
discussed in Section 3.0.

2.0 PRIVILEGED INSTRUCTIONS

To insure mutual isolation of users' programs, it is necessary to restrict 
users to a subset of 930 orders. Forbidden orders are termed "privileged
instructions". In essence, the absence of privileged instructions from the normal
repertoire redefines the machine which the user has at his disposal. We therefore
think of two computers (more precisely, two modes of operation of the 930):
a user's mode and an executive or monitor mode. Because both modes entail
changes in programming conventions in the 930, it is necessary to have a third
or normal mode. The mode of the machine is set by an EOM and control transfers
as described in Section 6.0. 

The set of privileged instructions consists of all undefined order codes, 
halt, all input/output orders, and all sense orders except for overflow test. 
An attempt to execute a privileged instruction while in user mode will result 
in the execution of a NOP instruction and, subsequently, a trap to location 40₈.
The program counter (P counter) is not incremented during the execution of the
NOP instruction. Consequently, the address stored by the BRM instruction in
location 40₈ is that of the offending instruction.

Privileged operation codes are: 00, 02 (except 20 00001 and 20 00010),
03, 04, 05, 06, 07, 10, 11, 12, 13, 15, 21, 22, 24, 25, 26, 27, 30, 31, 32, 33,
34, 40 (except the combination 40 20001, the overflow test), 42, 44, 45 and 47.

Defined instructions included in the above list are 00 HLT, 02 EOM (except
ROV and REO), 06 EOD, 10 MIY, 11 BRI (cf. Sect. 5.3), 12 MIW, 13 POT, 30 YIM,
32 WIM, 33 PIN, and all 40 SKS (except OVT).



* The term "trap" is to be distinguished from the interrupt defined by SDS.
The trap is a forced transfer to a fixed location; hence a trap routine is
interruptable by any other interrupt or trap condition.

3.0 MEMORY RELABELING

The address field of the 930 consists of the rightmost 14 bits, permitting
programs to access directly 16K of core. A memory extension register is provided
to allow programs to access 32K. The use of this register is described
in detail in the SDS 930 Computer Reference Manual.* 

The standard SDS memory extension is not used in the time-sharing system. 
Rather, the following memory relabeling scheme has been implemented:

Eight relabeling registers of six bits each are laid out in two
registers RL1 and RL2 as follows:

            RL1                           RL2
  | R_0 | R_1 | R_2 | R_3 |     | R_4 | R_5 | R_6 | R_7 |
  0     6     12    18          0     6     12    18

Each of these eight registers contains information as shown below:

        R_i
  | F_i |   G_i   |

where F_i is a flag bit and G_i is the least significant 5 bits of R_i. Thus R_i
may be thought of as a 5-bit register G_i with an associated flag F_i.

When relabeling, the contents of G_i, where i is the value of the three
most significant bits of the address, are concatenated with the least 
significant eleven bits. Thus, the address 

*Cf. SDS 930 Computer Ref. Manual, No. 9000614-B, Scientific Data
Systems, Inc., Santa Monica, California, 1964, p. 4.

The reader will note that this scheme permits ultimate access to 64K of
memory in 2K blocks. Because any combination of bits can be used in the eight 
registers, a user's program may occupy as much as 16K located randomly in 
non-contiguous blocks of 2K throughout the memory. The substitution of bits
(or relabeling) is performed on the address presented to the memory by the 
machine, hence the user's program is effectively connected together into one 
strip of continuous memory beginning at (local) location 0. The problem of 
relocation is thus eliminated and the problem of allocation is greatly simplified. 

Memory protection reduces to allotting memory to each user in multiples of 
2K and detecting when the user attempts to exceed his allotment. In our scheme, 
a memory reference pointing to an R_i with the contents 1000000₂ is
an indication that the block of memory involved has not been assigned, and it
results in a NOP and a trap to location 00041₈. At the occurrence of the trap,
the P counter contains the location of the offending instruction, except in the
case of an attempted jump to an out of bounds location, in which case it contains
the following information: 

Notation: In q: OM α, q is the unrelabeled location of the operation
and α is the effective unrelabeled address.

  q: BRM α    (1) α illegal, (P) = q
              (2) α legal but α+1 illegal, (P) = α+1

  q: BRR α    (1) α illegal, (P) = q
              (2) (α)+1 illegal, (P) = (α)+1

  q: POP      (P) = q

An intermediate level of memory protection is afforded by the flag bits
F_i. Reading and writing in any assigned block (i.e., (R_i) ≠ 1000000₂) of memory is
permitted if the associated F_i = 0. If F_i = 1, the associated block is read-only.
An attempt to store information in a read-only block results in a NOP and
a trap to location 00043₈. The P counter contains the same information as it
would in the case of an absolute protection violation.

To set RL1 it is necessary to execute an EOM 21000, which clears the
register, followed by the execution of a POT instruction. To set RL2 an
EOM 20^00 is executed.

Normal addressing is also used under certain conditions. When the relabeling
registers are used, however, special addressing is said to apply.
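
The relabeling and protection rules of this section, written out as an added C example that is not part of the original document. The function and type names, the sample register contents, the placement of R_0 in the leftmost six bits of RL1, and the reading of the "not assigned" marker as F_i = 1 with G_i = 0 are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define TRAP_UNASSIGNED 041  /* trap location for an unassigned block (octal) */
#define TRAP_READ_ONLY  043  /* trap location for a store into a read-only block */
#define R_UNASSIGNED    040  /* assumption: F_i = 1 with G_i = 0 marks "not assigned" */

enum access { ACC_READ, ACC_WRITE };

struct xlate { int trap; uint16_t phys; };  /* trap == 0: the reference proceeds */

/* Split the 24-bit words RL1 and RL2 into R_0..R_7.
   Assumption: R_0 is the leftmost six bits of RL1, R_4 the leftmost of RL2. */
static void unpack(uint32_t rl1, uint32_t rl2, uint8_t r[8]) {
    for (int i = 0; i < 4; i++) {
        r[i]     = (uint8_t)((rl1 >> (18 - 6 * i)) & 077);
        r[i + 4] = (uint8_t)((rl2 >> (18 - 6 * i)) & 077);
    }
}

/* Relabel one 14-bit address and apply both protection checks. */
static struct xlate relabel(const uint8_t r[8], uint16_t addr, enum access acc) {
    struct xlate out = {0, 0};
    uint8_t ri = r[(addr >> 11) & 07];            /* i = top three address bits */
    if (ri == R_UNASSIGNED) {                     /* absolute protection */
        out.trap = TRAP_UNASSIGNED;
    } else if ((ri & 040) && acc == ACC_WRITE) {  /* F_i = 1: read-only block */
        out.trap = TRAP_READ_ONLY;
    } else {                                      /* G_i followed by the low 11 bits */
        out.phys = (uint16_t)(((ri & 037) << 11) | (addr & 03777));
    }
    return out;
}

/* Constructed sample map: block 0 -> physical block 05 read/write,
   block 1 -> physical block 021 read-only, blocks 2..7 unassigned. */
static struct xlate demo(uint16_t addr, enum access acc) {
    uint8_t r[8];
    unpack(005614040, 040404040, r);
    return relabel(r, addr, acc);
}

int main(void) {
    struct xlate x = demo(04005, ACC_WRITE);      /* store into the read-only block */
    printf("trap %o phys %o\n", (unsigned)x.trap, (unsigned)x.phys);
    return 0;
}
```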

4.0 USER MODE

The machine which the users program, i.e., the 930 in the user mode, is
as described in the computer manual except for the following changes:

4.1 All privileged instructions are forbidden.

4.2 A new class of operations called system programmed operators
(SYSPOP) is provided. Although system programmed operators
are, in fact, ordinary programmed operators, the user thinks
of them as new and more powerful machine instructions since 
he does not have to allocate any of his own storage for them. 
In addition, the user may define his own set of programmed 
operators as he desires and exactly as explained in the manual. 
The distinction between system and local programmed operators 
is described in detail in Section 6.0. 

4.3 Special addressing applies to all instructions in user mode. 

5.0 MONITOR MODE

In monitor mode, the 930 has its full complement of orders including
the privileged instructions. Addressing is normal, and the memory extension
register may even be used if desired. Two changes distinguish this mode from 
the normal mode. 

5.1 If an instruction is executed in which the sign bit (which is 
normally unused) is one, special addressing (relabeling) applies 
for that instruction only. Monitor programs can thus conveniently 
access information in user areas. Special addressing will also 
apply to any instruction for which the sign bit of any word fetched 
during the determination of an effective address is equal to one. 
More precisely, relabeling becomes effective when the sign bit
is detected, and the machine will remain in this mode for the
duration of the current instruction. Thus, if the sign bit of 
a word fetched during indirect addressing is equal to one, all 
further references to memory made by this instruction will be 
relabeled. 

5.2 Because of the technique adopted for changing modes, it is 
necessary to modify the convention for storing the contents of 
the overflow indicator at the time of performing subroutine 
entries. Normally, the state of the overflow indicator is stored 
in the sign bit of the subroutine link. Since the sign bit is 
now reserved to indicate special addressing in monitor mode, it 
is necessary to move the state of the overflow indicator to Bit 2 
of the link. Note that this applies only in the case of monitor 
mode and is not true in normal mode or user mode. 

5.3 To enable interrupt routines to restore the overflow indicator
properly on return, a new instruction BRI (01100000) has been
added. BRI (Branch and Return from Interrupt routine) functions
in a manner similar to BRR with the following exceptions:

1. It does not increment the return address.

2. It first clears the overflow indicator and then
sets it with the contents of Bit 2 in the return
address word. (BRR simply merges the two indicators.)

3. It terminates the current priority interrupt level. 
BRI is a privileged instruction and hence cannot 
be executed in user mode. It should be noted that 
in monitor mode, the termination of interrupt levels 
is no longer accomplished by BRU*, hence it is legal 
to do a BRU* in an interrupt routine. Furthermore, 
BRI* may be executed to any depth. In normal mode, 
termination of interrupt levels is accomplished 
both by BRU* and BRI. The existence of a new 
instruction, BRI, in normal mode is a departure from 
the design goal of preserving normal SDS 930 operation 
in normal mode; BRI is, however, otherwise an undefined
instruction, and it is advantageous to be
able to run hardware diagnostics in both monitor
and normal modes.

6.0 CHANGING MODES

Pushing the start button on the console forces the machine into normal 
mode. This is the only manner in which the transition to normal mode can be 
made. The transition from normal to monitor mode is made by executing an
EOM 22000. The transition from monitor to user mode is made by executing
a jump to a relabeled location. The user can cause a transition from user to
monitor mode by executing a SYSPOP. There is no means of going directly from
normal mode to user mode.

It should be noted that, although the above-mentioned means of making 
mode transitions exhaust the possibilities available to the programmer, there 
are two other causes of such transitions. First, the occurrence of an interrupt 
or trap when in user mode will cause a transition to monitor mode. Secondly, 
following the execution of a single instruction interrupt routine, a transition 
to user mode will occur if the machine was in user mode at the time that the 
interrupt occurred. 

In order that system subroutines be able to serve both the user and the 
system itself, an indication of the mode before entry is preserved in the 
subroutine link. Bit 0=1 implies a transfer from user mode, and Bit 0=0 
implies an entry from the system. Bit 0 is used for this purpose in order to
make data access independent of mode (cf. Section 7.0) and to restore the
proper mode upon return.

When attempting to execute a transfer from monitor mode to relabeled
memory (and thus to user mode) which is out of bounds, the resulting trap
forces Bit 0 of the link to a 1. The monitor must take this effect into account.

7.0 PROGRAMMED OPERATORS

In his program, the user may execute one of two types of programmed 
operators. An instruction in which Bit 0 is 0 and Bit 2 is 1 is a normal
programmed operator, local to the user's area of memory. As such, the user
must allocate space in local locations 100 through 177 for transfers to
programmed operator subroutines in his own memory. If, however, Bit 0 of
the instruction is 1 and Bit 2 is 1, the machine changes to monitor mode
before executing the programmed operator. Thus, the user is sent automatically
to actual locations 100 through 177, where system programmed operators service
his program.

System programmed operators are included in the system routines mentioned 
in Section 6.0. The link for a programmed operator is location 0. If a user 
executes a SYSPOP, Bit 0 of the link is 1. Since programmed operators refer to
their data indirectly via their link, special addressing is applicable and the
user's data will be accessed. On the other hand, if the system programmed operator
is used by the system itself, Bit 0 will be 0, and normal addressing will apply.
Bit 0 may be inspected by the system to determine at interrupts whether the
user was in his own program or whether he was in a system programmed operator.

Programmers should realize that in user's mode, Bit 0 has significance in
the case of programmed operators. It is an error, then, to use Bit 0 of a
programmed operator as storage for any purpose. Bit 0 is otherwise unrestricted
for the user.

8.0 OTHER CHANGES

The following changes are not visible to the user, but serve to provide
for security of the system from user action. The occurrence of an interrupt
request from the interrupt priority logic during the execution of an "execute"
instruction (or a long chain of EXUs) results in the termination of the process
and the execution of a NOP. At the completion of the NOP, the highest priority
interrupt request is honored, and the P counter contains the address of the
interrupted instruction; hence, the normal interrupt routine exit will return
to the interrupted instruction which will begin execution anew.

Similarly, when relabeling, the execution of instructions involving indirect
addressing is interrupted when an interrupt request occurs during the indirect
addressing phase of the execution.

Also, an interrupt request at the completion of a BRX instruction which
calls for a jump causes the execution of a NOP (at the completion of which
the interrupt can occur). In this case the P counter contains the location
specified by the jump.

Finally, when in user mode interrupt requests are honored immediately
following the execution of ROV and REO instructions.

Each of the features described above is effective both in monitor and 
user mode; in normal mode none function -- the CPU behaves exactly as a
normal SDS 930. 



